Has increased media attention on cybersecurity improved communication between board leadership and CIOs/CISOs?

CIO Strategic Advisor in Services (non-Government), 2 - 10 employees
I went to assess an organization once at a publicly traded company. I looked at the CIO and their organization, who was brought in by someone above them; the CISO in their organization; how they were presenting to the board and what they were presenting to the board. The scary thing is they were presenting information to the board to give them a false sense of security. They were telling them what they wanted to hear, not what was actually happening—then a breach would happen. During my time working with this company, a breach had just happened before my arrival and a second breach happened while I was still there. And then a third breach happened, right toward the end of my time working with them. The end result was they finally lost confidence in both their CISO and CIO and the whole organization was decimated, which was great for them.

But this situation is not an outlier. I see this happening across organizations where the relationship between the board and the CIO is not strong, and they're not having transparent, candid conversations. I can give you plenty more examples of publicly traded companies in which the CIO and the board don't have a good relationship, if they have a relationship at all. And if that gap is a problem, the gap between the board and the CISO is an even bigger problem. There's not enough conversation or work to try and close that gap. And that's part of the core issue with cybersecurity—that's the big elephant in the room.
CEO in Software, 11 - 50 employees
The best time for a CISO to come in is right after a major failure. Because at that point in time, the world says, "You're the most important person." Before that, everything you do is considered an extra or a cost that actually reduces customers’ ability to use our environment as efficiently and effectively as I'd like them to, whether they're employees or external customers. That's a sad state of affairs.
CIO in Telecommunication, 1,001 - 5,000 employees
Our board is very well engaged. I report into the Audit Committee, which also has a cybersecurity component. Every quarter since we established the CISO organization, we present our roadmap. We also meet with a couple of our board members quarterly for guidance and to find out what they are seeing in the broader industry. They sit on various other boards, so it's good to get their input.

I've been with Viavi for a couple of years now in the CIO role, and when I joined, there was no CISO organization. I said that we need to have a dedicated service organization; it cannot be embedded within an organization. So we created three competencies within IT. One is business applications, planned operations and cybersecurity, so we appointed a CISO. And we also looked at benchmarks for the industry standard of how much spend is ideal for a CISO organization. If you don't allocate a resource, both in terms of manpower and budget, it's a CISO in name only. You need to empower those teams to make sure that they get the things done.
